
WinAntiSpyware and trojans

thor5thorson

Posted 23 September 2005 - 06:41 PM

Hi, I've been having some spyware issues on my PC recently, and it has been going on for the past few days. The problem is usually the same:

- I open an IE window
- I get an alert pop-up:

"If your computer has been running slower than normal, it may be infected with Adware or Spyware. WinAntiSpyware 2005 performs a FREE scan of your system. Download WinAntiSpyware 2005 FREE now!"

- Close the alert using the red X button
- Opens a new browser window to WinAntiSpyware2005.com
- Close the browser window
- Another alert about not running the scan
- Close the alert
- More alerts! More redirects!

I've run CleanUp!, Ad-Aware SE, CWShredder, Spybot Search & Destroy, Trend HouseCall and Trojan Hunter. Trojan Hunter says it found Virtumancle.110 and is unable to rename C:\windows\system32\gebba.dll. It then renamed C:\windows\system32\khhfe.dll to C:\windows\system32\khhfe.dll.tcf. I have avast as an antivirus and it comes up with "trojan horse found"; I try to move it to the chest or delete it, but it says it's unable to rename or something like that. The file in the error is C:\System Volume Information\_restore{987E0331-0F01-427C-A58-7A2E4AABF84D}\RP331\A0034706.dll. The program also says, every once in a while, "Network Shield blocked 23.09.2005 19:32:42 DCOM Exploit attack from 216.244.254.140:135".

If one of the files is not listed, please don't go further but tell me first!

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat.

You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

- Click "Options..."
- Move the arrow down to "Custom CleanUp!"
- Put a check next to the following (make sure nothing else is checked!):

thor5thorson

Posted 24 September 2005 - 04:36 PM


Hey, I really appreciate your help; there is no way I could do this on my own. But I think I've been having more problems. I started your directions with the VundoFix.exe and saw all the files there, started the computer in Safe Mode, and then started entering the file paths. I thought I did everything correctly, but the hijack didn't start up automatically, so I don't know if the fix ran or not. So I opened the hijack within the VundoFix.exe folder. I checked "O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)" but did not see "O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\gebba.dll (file missing)". Then I checked "O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)", "O20 - Winlogon Notify: gebba - C:\WINDOWS\system32\gebba.dll (file missing)" and "O20 - Winlogon Notify: khhfe - C:\WINDOWS\system32\khhfe.dll (file missing)". And after I did that it did not automatically reboot, so I rebooted it myself. I saw no blue screen of death. So I did CleanUp! successfully as far as I know. Now here is the weird part: I did the ActiveScan from the link you put in your first reply. It went to pandasoftware.com. When it was scanning, my avast warning came up showing a worm/virus from that website!! It said: 9/24/2005 5:00 and 5:23 PM System 1340 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file. My hijack log was

I didn't have a copy of the results of the ActiveScan because of the worm/virus warning from avast, so I didn't finish the scan. I also don't know where to find the vundofix.txt file report??? Sorry, I'm not the best with computers, but I am trying. Thanks again for your help.
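Added example (not part of the thread, and not code from HijackThis, VundoFix or any of the helpers here): a small Python triage of the O2/O20 lines quoted in the post above. It parses the HijackThis line formats, flags the classic Vundo pattern (a BHO with "(no name)" or a missing file, a non-standard Winlogon Notify package, and above all the same DLL registered both as a BHO and as a Winlogon Notify package, which is how the infection reloads itself at logon). The sample log is constructed from the lines quoted in the thread plus one benign Notify line; the allow-list of stock Windows XP Notify DLLs is an assumption for illustration.

```python
import ntpath
import re
from typing import List, Optional

# Constructed sample input: the O2/O20 lines the poster quoted from their
# HijackThis log, plus one benign Winlogon Notify line (assumed: a normal
# Windows XP entry) so the triage has something it should leave alone.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINDOWS\\system32\\gebba.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
O20 - Winlogon Notify: gebba - C:\\WINDOWS\\system32\\gebba.dll (file missing)
O20 - Winlogon Notify: khhfe - C:\\WINDOWS\\system32\\khhfe.dll (file missing)
"""

# Assumed allow-list: the DLLs behind the stock Windows XP Winlogon\Notify
# subkeys (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy,
# SensLogn, termsrv, wlballoon). Anything else under Notify deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

# HijackThis line shapes as they appear in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")


class Entry:
    """One parsed O2 (BHO) or O20 (Winlogon Notify) line."""

    def __init__(self, kind: str, name: str, rest: str, clsid: Optional[str] = None):
        self.kind = kind
        self.name = name
        self.clsid = clsid
        self.reasons: List[str] = []
        rest = rest.strip()
        if rest == "(no file)":
            # CLSID is registered but InprocServer32 points nowhere
            self.dll: Optional[str] = None
            self.file_missing = True
        else:
            self.file_missing = rest.endswith("(file missing)")
            self.dll = rest[: -len("(file missing)")].strip() if self.file_missing else rest

    @property
    def basename(self) -> Optional[str]:
        return ntpath.basename(self.dll).lower() if self.dll else None


def parse_hjt(log_text: str) -> List[Entry]:
    """Pull O2 and O20 entries out of HijackThis log text; other lines are ignored."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["rest"], clsid=m["clsid"].upper()))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["rest"]))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one Vundo-style heuristic."""
    entries = parse_hjt(log_text)
    bho_dlls = {e.basename for e in entries if e.kind == "O2" and e.basename}
    notify_dlls = {e.basename for e in entries if e.kind == "O20" and e.basename}
    for e in entries:
        if e.kind == "O2" and e.name == "(no name)":
            e.reasons.append("BHO registered without a name")
        if e.kind == "O20" and e.basename not in KNOWN_NOTIFY_DLLS:
            e.reasons.append("non-standard Winlogon Notify package")
        if e.file_missing:
            e.reasons.append("registry entry points at a file that is not there (deleted, renamed, or hidden)")
        if e.basename and e.basename in bho_dlls and e.basename in notify_dlls:
            e.reasons.append("same DLL registered as BHO and Winlogon Notify package (Vundo persistence pair)")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<16} {e.dll or '(no file)'}")
        for r in e.reasons:
            print(f"      - {r}")
```

The useful part is the last heuristic: gebba.dll shows up as both the MSEvents BHO and a Winlogon Notify package, so fixing only the O2 line leaves the O20 hook to re-register it, which is exactly why the thread's instructions list both. The benign crypt32chain line is not reported.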

thor5thorson

Posted 25 September 2005 - 02:43 PM


Hey Didom, well, I followed your instructions except that ActiveScan; I was just making sure you thought it was safe, since last time I did it my avast antivirus came up with the worm/virus warning coming from that website. It said: 9/24/2005 5:00 and 5:23 PM System 1340 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL"

I also thought I'd tell you that in between your replies I did a system check with avast and it found two trojan horses. It said gebba.dll.tct and khhfe.dll.tcf, system location C:\windows\system32.

So I did Ewido Security. It said:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

thor5thorson

Posted 26 September 2005 - 06:56 PM


Didom, hey, I've tried to use the Panda ActiveScan three more times from the website www.pandasoftware.com using version 5.50.01, but every time my avast antivirus software aborts the connection. It says:

"A VIRUS WAS FOUND! There is no reason to worry, though. avast! has stopped the malware before it could enter your computer. File name: http://www.pandaware.com/activescan/as5fre...or.cab\psk Malware name: Win32:CTX Malware type: virus/worm VPS version: 0539-0, 09/26/05"

It stops the scan and gives no other option except to abort the scan. Is there another scan that we can do?? Do you know why this WARNING would come up?? It just came up again and I only had their web page open?!?!? CRAZY. Any other options??

didom

Posted 28 September 2005 - 02:57 AM


Please reset your restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

thor5thorson

Posted 02 October 2005 - 03:51 PM


Sorry it's been a while; I had a pathology test to study for. I followed the instructions to show all the hidden files and folders, but I could not find the file C:\WINDOWS\SYSTEM32\cbxxv.dll. I tried to look manually and did a search on the computer for it, but it was not there. I again deactivated my antivirus and did the Panda online ActiveScan, and it said "Scan finished. No viruses or other malicious software have been found!" I did not see a scan log for that ActiveScan.

Posted 02 October 2005 - 04:03 PM

thor5thorson

Posted 05 October 2005 - 07:08 AM


I think everything is working well, but it still seems a little slow. The second time I did the ActiveScan it only gave a few options of what to scan and not a full system scan. Do you think it might have missed something??